Rawdata may be corrupt

profileaudio
New Member

Hi anyone and everyone,

Please could somebody help.

I have been using Splunk for the past 2 and a half years.
I am using Splunk 5 and whenever I install a Splunk update over the existing Splunk 5, Splunk starts up as normal but after I perform a search, all the data will show until it gets to a point where it all vanishes and is replaced by the following.

Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'main~178~02C5891B-D87B-444E-9AEC-E9C8E3E45913'. Rawdata may be corrupt, see search.log

At this point I just reinstall the previous version as I need the search data.

As I know I am going to have to update it for good at some point, can anyone fix this corruption issue?

Kind regards,

Paul

0 Karma

lukejadamec
Super Champion

I've run into this before also, and there is a fix IF the actual data in the bucket is not corrupt. If the bucket raw data is truly corrupt, it cannot be fixed.

Here is a good place to read about fixing bad buckets:

http://wiki.splunk.com/Community:PostCrashFsckRepair

The repair routine never worked for me, so I use the rebuild instructions. However, sometimes those also fail for me, so I modify the instructions a bit...

First try the instructions as written. If that fails try this on a copy of the bucket.

Remove all files inside the bucket except journal.gz - don't change the folder structure. Run rebuild on the bucket again, and it will be rebuilt from raw data. If that fails, then the data is likely unrecoverable.
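A scripted version of the copy-and-prune step above, added here as an example; it is not code from the thread or from Splunk. It assumes the standard bucket layout (rawdata/journal.gz inside the bucket directory), a SPLUNK_HOME environment variable (defaulting to /opt/splunk), and adds a gzip integrity check on the journal as a quick way to tell whether the raw data itself is damaged before bothering with a rebuild.

```shell
#!/bin/sh
# Added example: stage a copy of a Splunk bucket that keeps only
# rawdata/journal.gz, so "splunk rebuild" can regenerate the tsidx and
# metadata files from raw data. Always work on a copy, never the live bucket.
# Assumed layout: <bucket>/rawdata/journal.gz (standard Splunk bucket layout).

# Copy bucket $1 to $2 and delete every regular file except rawdata/journal.gz,
# leaving the directory structure in place. Returns 1 if the journal is missing
# or fails a gzip integrity check (then the raw data is likely unrecoverable).
stage_bucket_copy() {
    src="$1"
    dst="$2"
    [ -f "$src/rawdata/journal.gz" ] || { echo "no rawdata/journal.gz in $src" >&2; return 1; }
    cp -R "$src" "$dst" || return 1
    # gzip -t checks the compressed stream without writing anything to disk.
    if ! gzip -t "$dst/rawdata/journal.gz" 2>/dev/null; then
        echo "journal.gz fails gzip integrity check; rebuild cannot help" >&2
        return 1
    fi
    # -type f removes files only, so folders such as rawdata/ survive.
    find "$dst" -type f ! -path "$dst/rawdata/journal.gz" -exec rm -f {} +
    return 0
}

# Number of regular files left under $1 (used to confirm the prune).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Run the rebuild on the staged copy when a Splunk install is available;
# otherwise print the command to run by hand and return 2.
rebuild_bucket() {
    splunk_bin="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
    if [ -x "$splunk_bin" ]; then
        "$splunk_bin" rebuild "$1"
    else
        echo "splunk binary not found at $splunk_bin; run: splunk rebuild $1" >&2
        return 2
    fi
}
```

Once the rebuilt copy searches cleanly, it can be swapped in for the bucket named in the error (stop splunkd first), and the original kept aside until the replacement is confirmed.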

asmithe
Path Finder

I have this same problem. Any answers?

Updated answer:

Without a service contract it is very difficult to get answers or a solution to this problem that don't include some data loss.

Ultimately, I had to track down the data buckets that had the corrupt data and remove them. Some of my SOS data is also corrupted and I never have gotten around to sorting out which data needs to be gone.

0 Karma

khyoung7410
Communicator

I have this same problem. Any answers?

0 Karma